Try the metrics.log. During each metrics dump (every 30 seconds), the "top X biggest Y" are written out. Where X is defaulted to ten (10), and Y is sourcetype, host, index, etc. The search string would read like:
index=_internal source=*metrics.log group=tcpin_connections | stats sum(kb) AS kb by os
You could also use the results from the os field in the tcpin_connections, to evaluate the OS while getting the accurate license usage from license_usage.log.